Max Vozeler discovered that the lockmail program from maildrop, a simple mail delivery agent with filtering abilities, does not drop group privileges before executing commands given on the command line, allowing an attacker to execute arbitrary commands with group mail privileges.
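
The hardened pattern for this class of bug, as an added example (not maildrop's code and not the patch shipped in the fixed packages): a set-group-ID helper gives up its elevated group permanently and verifies the result before it executes a user-supplied command. The function names are hypothetical; setregid() semantics are assumed to be those of Linux/POSIX.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up set-group-ID privilege: real, effective and saved
 * GID all become the invoking user's real GID. Returns 0 on success. */
int drop_group_privileges(void)
{
    gid_t rgid = getgid();
    gid_t old_egid = getegid();

    /* Setting the real GID also resets the saved set-group-ID. */
    if (setregid(rgid, rgid) != 0)
        return -1;

    /* Verify the result instead of trusting the return code alone. */
    if (getgid() != rgid || getegid() != rgid)
        return -1;

    /* The elevated group must not be recoverable. Skipped when nothing was
     * elevated, or for root, who can always change groups. */
    if (old_egid != rgid && geteuid() != 0 && setegid(old_egid) == 0)
        return -1;

    return 0;
}

/* Hypothetical helper: run the user-supplied command only after the drop. */
int run_user_command(char *const argv[])
{
    if (argv == NULL || argv[0] == NULL)
        return -1;
    if (drop_group_privileges() != 0) {
        fprintf(stderr, "refusing to exec: could not drop group privileges\n");
        return -1;
    }
    execvp(argv[0], argv);
    perror("execvp");   /* only reached if exec failed */
    return -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    return run_user_command(&argv[1]) == 0 ? 0 : 1;
}
```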

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in version 1.5.3-1.1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 1.5.3-2.

We recommend that you upgrade your maildrop package.

Upgrade Instructions
--------------------

wget url will fetch the file for you
dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below: